Overview

overview

10

Static

static

3

3a7ac1ac60...18.exe

windows7-x64

10

3a7ac1ac60...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-03-2024 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe

  • Size

    311KB

  • MD5

    3a7ac1ac60baac512bf45e412aacb90c

  • SHA1

    d579493a2190a8f6f44a9094148a494c5368cdc7

  • SHA256

    5c88ec7f348d5b457a2f155bbd9b0353c1cb840e0e971013c0ebc58aaee3b715

  • SHA512

    08c3a3861a092eb7e39f6aa7255b36e2bf54b1f7a15b7fb76ac5f94269e7879e3a27187af2ee11f7215f5796e35ecd9146d04744ab4a4e01fb29a137589963b9

  • SSDEEP

    6144:mLVf3fw4e0wZ4EJjz9QkLOfIf/Hp9hLVxCygVM:4IjZZ4IH9QkOfIfPhJxC9

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://linavanandr11.club/

http://iselaharty12.club/

http://giovaninardo13.club/

http://zayneliann14.club/

http://zorinosali15.club/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Users\Admin\AppData\Local\Temp\3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3a7ac1ac60baac512bf45e412aacb90c_JaffaCakes118.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4112
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 328
        3⤵
        • Program crash
        PID:544
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4112 -ip 4112
    1⤵
      PID:3400
    • C:\Users\Admin\AppData\Roaming\wjsfhdf
      C:\Users\Admin\AppData\Roaming\wjsfhdf
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Users\Admin\AppData\Roaming\wjsfhdf
        C:\Users\Admin\AppData\Roaming\wjsfhdf
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: MapViewOfSection
        PID:3028
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 328
          3⤵
          • Program crash
          PID:2280
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3028 -ip 3028
      1⤵
        PID:2688

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\wjsfhdf
        Filesize

        311KB

        MD5

        3a7ac1ac60baac512bf45e412aacb90c

        SHA1

        d579493a2190a8f6f44a9094148a494c5368cdc7

        SHA256

        5c88ec7f348d5b457a2f155bbd9b0353c1cb840e0e971013c0ebc58aaee3b715

        SHA512

        08c3a3861a092eb7e39f6aa7255b36e2bf54b1f7a15b7fb76ac5f94269e7879e3a27187af2ee11f7215f5796e35ecd9146d04744ab4a4e01fb29a137589963b9

        Download Submit

      • memory/1376-17-0x00000000017C0000-0x00000000018C0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3028-24-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/3380-6-0x0000000003260000-0x0000000003276000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3380-20-0x0000000003290000-0x00000000032A6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3548-1-0x0000000001980000-0x0000000001A80000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3548-2-0x0000000001920000-0x0000000001929000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4112-3-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4112-4-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4112-5-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4112-9-0x0000000000410000-0x00000000004D9000-memory.dmp

        Filesize

        804KB

        Download

      • memory/4112-10-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download